To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 393243a38d74 - main - pfctl: ifa_load() in pfctl_parser.c may attempt to read beyond the buffer.
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 393243a38d742e54d93c9c9ddb6c8f95fc0cb72e
Date: Wed, 14 Jan 2026 08:06:12 +0000
Message-Id: <69674e74.af7a.30c5e251@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=393243a38d742e54d93c9c9ddb6c8f95fc0cb72e

commit 393243a38d742e54d93c9c9ddb6c8f95fc0cb72e
Author:     Kristof Provost
AuthorDate: 2026-01-12 16:08:35 +0000
Commit:     Kristof Provost
CommitDate: 2026-01-14 06:44:42 +0000

    pfctl: ifa_load() in pfctl_parser.c may attempt to read beyond the buffer.

    The current ifa_load() is not paranoid enough when it deals with
    information which comes from the kernel. The function just ignores
    the sa_len member in the socket address returned by getifaddrs().

    The issue has been reported by anton@.

    The idea for the fix here comes from claudio@.

    OK @claudio, @deraadt

    Obtained from:  OpenBSD, sashan, a48d060175
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

--- sbin/pfctl/pfctl_parser.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 25d52f4ec823..233f5d641d2c 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c
@@ -1598,11 +1598,17 @@ ifa_load(void) copy_satopfaddr(&n->addr.v.a.addr, ifa->ifa_addr); ifa->ifa_netmask->sa_family = ifa->ifa_addr->sa_family; copy_satopfaddr(&n->addr.v.a.mask, ifa->ifa_netmask); - if (ifa->ifa_broadaddr != NULL) { + if (ifa->ifa_broadaddr != NULL && + ifa->ifa_broadaddr->sa_len != 0) { + ifa->ifa_broadaddr->sa_family = + ifa->ifa_addr->sa_family; ifa->ifa_broadaddr->sa_family = ifa->ifa_addr->sa_family; copy_satopfaddr(&n->bcast, ifa->ifa_broadaddr); } - if (ifa->ifa_dstaddr != NULL) { + if (ifa->ifa_dstaddr != NULL && + ifa->ifa_dstaddr->sa_len != 0) { + ifa->ifa_dstaddr->sa_family = + ifa->ifa_addr->sa_family; ifa->ifa_dstaddr->sa_family = ifa->ifa_addr->sa_family; copy_satopfaddr(&n->peer, ifa->ifa_dstaddr); }
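
Review bot: in both the ifa_broadaddr and ifa_dstaddr blocks, the added sa_family assignment repeats the unchanged context line directly below it (ifa->ifa_broadaddr->sa_family = ifa->ifa_addr->sa_family; and the ifa_dstaddr equivalent), so each block now performs the same store twice; the added copies can be dropped and only the new sa_len != 0 condition kept. The new condition also only rejects a zero sa_len: a non-zero value is not compared against the size expected for the family taken from ifa_addr before copy_satopfaddr() reads the address, so checking sa_len against that size would match the concern stated in the commit message more closely. The context lines at the top of the hunk still write ifa->ifa_netmask->sa_family and pass ifa_addr and ifa_netmask to copy_satopfaddr() with no sa_len check visible here; if those are not validated earlier in ifa_load(), they deserve the same guard.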